Iceman: The FBI Consultant Who Became a Cybercrime Kingpin
Max Butler stood 6-foot-5 and started as one of the good guys. He worked with the FBI. He built security tools. He helped defend the internet.
Then he hacked the Pentagon.
Then nobody would hire him.
Then he became the biggest credit card thief in U.S. history.
This is how it happened.
The White Hat Who Crossed the Line
By 1997, Max Butler had built himself a reputation in Silicon Valley. He created arachNIDS, an intrusion detection database for Snort. He contributed to the Honeynet Project. The FBI recruited him as a confidential informant to track down cybercriminals.
For a kid from Boise, Idaho, this felt like success.
But Max had a problem: he thought he knew better than everyone else.
The BIND Disaster
In late 1998, a critical vulnerability hit BIND domain name servers. Thousands of military and government systems were exposed. Max called his FBI handler at home to warn about the risk.
He felt ignored.
So Max decided to fix it himself. He wrote a program to scan IP ranges, exploit the BIND vulnerability, patch the hole, and install a rootkit with a backdoor on every compromised system.
From his perspective, he was helping. Before his program, anyone could exploit these systems. After his program, only he could.
The program spread fast. Air Force bases. NASA facilities. Department of Defense. Department of Energy labs. When he scanned the Navy’s IP range, so many infected systems pinged back that his computer crashed.
Investigators traced everything back to his home in San Jose. The FBI showed up at his door. Max confessed immediately and apologized. The FBI wanted him to turn deeper informant and wear a wire on friends at DEF CON.
He refused.
In 2001, he got 18 months at Federal Correctional Institute in Taft, California. Security researchers wrote letters supporting him. The judge sentenced him anyway.
Max had crossed a line he could never uncross.
Prison: Where Everything Changed
Federal prison became what Max called “a grand university of crime.” White-collar criminals from different backgrounds mixed freely. They shared techniques. They made connections. They planned new schemes.
Max met Jeff Norminton, a con artist with big ambitions and zero technical skills. They would reconnect after Max’s release and change his life forever.
The Impossible Job Search
Max got out in 2002. He tried going straight. He had a wife named Kimi. He had elite skills. Before his arrest, he billed $100 per hour for security consulting.
Nobody would hire him.
He had marquee recommendations from top security researchers. He had demonstrable skills in high demand. None of it mattered. Being a convicted hacker who had compromised Pentagon systems made him radioactive.
He sent what became a legendary email from a halfway house in Oakland: “I’ve got to get a job or they will send me back to the joint. I will work for minimum wage until I get out of the halfway house.”
The responses? Almost nothing. One client threw him a bone and paid him slightly above minimum wage to assemble PCs. Max was homeless. He couch-surfed with friends. His marriage fell apart. His technical skills rusted in storage.
This is where Max’s moral compass started spinning. Society praised his skills and asked for his help. Now society refused to let him earn a living legitimately.
Employment discrimination against people with hacking convictions is widespread and legally permissible. Even today, with major tech companies signing Fair Chance pledges, the reality for someone with a recent conviction remains bleak.
Max looked at his options and made a choice. If the legitimate world would not have him, he would return to the shadows.
This time he would get paid.
Enter the Criminal Partnership
Jeff Norminton resurfaced with a proposition. He knew someone with funding and criminal expertise who needed a hacker: Christopher John Aragon.
Aragon’s resume read like a crime movie. He robbed banks in the early 1980s. High-speed chase through Aspen. Prison time. After release, he dabbled in credit card fraud, then graduated to large-scale marijuana trafficking. That earned him a second federal sentence.
By 2001, Aragon had gone legitimate. He ran an equipment leasing company in Orange County for tech startups. He had a wife and kids and a stable life.
Then the dot-com bubble burst. His business collapsed. Aragon faced the same choice Max did: return to crime or face financial ruin.
The partnership was simple. Max would hack financial systems and steal credit card data. Aragon would handle the physical side: manufacturing counterfeit cards, recruiting crews, and fencing stolen goods.
Aragon funded Max’s operations. He bought him a high-end Alienware laptop and hacking gear. Once or twice a month, Aragon rented a hotel room in downtown San Francisco for Max to use as a hacking base.
The Wi-Fi Setup
Max knew the first rule he had violated in his Pentagon hack: never hack from home. So he and Aragon created a system for anonymity.
They bought a large parabolic antenna for long-range Wi-Fi capture. They smuggled it up hotel fire stairs to avoid lobby attention. Max set the antenna on a tripod by the window. He swept for unsecured or WEP-encrypted Wi-Fi networks in San Francisco’s Financial District. Then he piggybacked those connections to mask his attacks.
At first, Max targeted small credit unions and savings-and-loan institutions. He wrote scripts to automatically scrape the FDIC website for lists of small financial institutions. He pulled their IP ranges from the ARIN database. He scanned for vulnerabilities.
He got into systems easily. These regional institutions had minimal security budgets. But converting access into cash proved frustrating. He had compromised multiple networks but had no idea how to monetize the access.
So Max did what any confused criminal would do in 2004: he Googled it.
“How do you make money off of computer crime?”
The search led him to the carding forums.
The Billion-Dollar Criminal Marketplace
Carding evolved from ad-hoc IRC hustles into a structured global economy. In 2001, CarderPlanet emerged from a face-to-face meeting of Ukrainian and Russian cybercriminals in Odessa. It created the template for all underground marketplaces.
CarderPlanet introduced hierarchy, peer review, vendor reputations, and specialized roles. Essentially, it applied Amazon’s e-commerce model to stolen financial data.
By the time Max discovered this ecosystem, multiple English-language forums had sprung up. The most prominent was ShadowCrew. These forums functioned as eBay for criminals. Vendors sold “dumps” (magstripe data containing the cryptographic CVV code necessary to create working counterfeit cards), fake IDs, skimming hardware, and tutorials on everything from social engineering to card cloning.
Dumps sold for $5 to $50 depending on card type and credit limit.
Payment flowed through e-gold, a digital currency backed by actual gold bullion. E-gold required no identity verification. Accounts existed under names like “Mickey Mouse” and “No Name.” At its peak in 2006, e-gold had five million accounts processing billions of dollars.
Max had found his ecosystem. But he had no reputation. No vendor reviews. No trust.
So he did what he did best: he hacked everyone.
The Free AmEx Trap
Posing as a well-known vendor, Max sent messages across multiple forums announcing excess American Express dumps. He was giving them away for free. All recipients had to do was click a link.
Thirty to forty carders took the bait. They got instantly infected with a zero-day Internet Explorer vulnerability. Max got administrative access to their systems.
Suddenly, Max was inside the entire carding supply chain. He could see how the stolen card economy worked. He could see who the major players were. He could see where the most valuable data was stored.
He began systematically stealing dumps from the criminals who had stolen them first. Then he sold those dumps to Chris Aragon’s operation in Orange County.
Aragon had transformed a rented apartment into a full-scale credit card counterfeiting factory. Using templates from the forums, blank plastic cards from Chinese suppliers, and embossing equipment, he produced hundreds of flawless fakes weekly. The holograms came from overseas. The magnetic encoding was done with $200 skimmers.
Aragon crafted fake driver’s licenses to accompany each card. Sometimes he used high-profile names. One ID read “Chris Anderson,” borrowing the name of Wired’s editor-in-chief.
Aragon recruited crews. Primarily young, attractive college-age women who could walk into Nordstrom or Bloomingdale’s without raising suspicion. He sent them out daily with stacks of cards. They purchased designer handbags, jewelry, and high-end electronics. Aragon’s wife then resold everything on eBay.
In three years, they made $780,000 from eBay sales alone.
The ATM Cashout Bonanza
While hacking other carders, Max stumbled onto a participant in a massive fraud scheme. The vulnerability should never have existed: roughly half of all U.S. banks were not verifying the CVV code on ATM and debit transactions.
The cryptographic safeguard that was supposed to prevent card cloning was simply being ignored during ATM withdrawals.
Eastern European phishing rings were exploiting this flaw at scale. They targeted Citibank customers to harvest ATM numbers and PINs. Max compromised one of the cashiers working for a major Eastern European operation. He began stealing the phished ATM data before the original thieves could use it.
When the Eastern European boss discovered Max’s intrusion, he was impressed instead of angry. Max had demonstrated superior operational security. The boss cut off his original cashier and started feeding Max data directly.
Over a few months in 2004, Max pulled $250,000 from ATMs across the country. To avoid leaving fingerprints, he pressed buttons with paper or his fingernails. Sometimes he coated his fingertips with New-Skin liquid bandage.
It was fast, lucrative, and utterly illegal.
Max was now earning real money. But he still thought of himself as a white hat. In his mind, he was Robin Hood. He was stealing from banks and credit card companies that “deserved it” for charging consumers usurious interest rates and predatory lending.
Credit card fraud was “victimless,” he reasoned. Consumers were not liable for fraudulent charges.
This moral compartmentalization would define his psychology for years. He would happily hack and rob other criminals. But if someone paid him as the vendor “Digits,” he would never shortchange them. His reputation for honest dealing in a den of thieves became a point of pride.
The Restaurant Heist: 1.1 Million Cards
Max’s breakthrough came from a newly disclosed vulnerability in RealVNC remote desktop software. The exploit was elegant. With a small modification, any VNC client could become a “skeleton key” bypassing authentication on any RealVNC server.
Max immediately swept the entire IPv4 address space looking for vulnerable systems.
What he found was a gold mine: hundreds of restaurant point-of-sale (POS) systems were accessible via the exploit. These systems swiped customer credit cards, processed transactions, and stored the full magstripe dumps on backend servers. Often for weeks or months.
His first target was Pizza Schmizza in Vancouver, Washington. From there, he expanded nationwide. Burger Kings in Texas. Upscale restaurants in Manhattan. Everything in between.
By the time he was arrested, Max had stolen 1.1 million credit card numbers directly from restaurant POS terminals. The single largest source of dumps in his entire operation.
This method presaged the wave of large-scale retail breaches that would dominate the next decade. By 2007, the majority of credit card compromises came from brick-and-mortar merchants. Not online transactions. Restaurants accounted for the lion’s share.
Max had essentially pioneered the playbook criminals would use to breach TJX, Hannaford Bros., and Heartland Payment Systems.
The First Spear Phishing Attack
Not content with restaurant hacks, Max and a partner identified a new vulnerability in 2005. One serious enough that Max believed it would give them “a free pass to own any company we want.”
Max crafted the first documented spear phishing attack targeting the financial industry. Posing as a journalist, he emailed 500 Capital One employees with a link. He claimed it was a news story about a data breach at the bank.
The link exploited the unpatched vulnerability. When employees clicked, Max’s malware installed itself. He got a foothold inside Capital One’s corporate network.
Max claimed to have used the same technique to compromise Bank of America, GMAC, and CitiMortgage. But his ambitions outpaced his ability to monetize. Capital One’s network was vast and complex. Max got lost in the labyrinth of servers and data. He got distracted by other priorities before he could find the financial crown jewels.
What distracted him? Pride, ego, and a quixotic mission to “fix” the carding scene.
The Hostile Takeover
By mid-2006, Max had grown frustrated with the fractured carding ecosystem. With ShadowCrew gone, five major forums competed for users, vendors, and transaction volume: CardersMarket, DarkMarket, TalkCash, ScandinavianCarding, and TheVouched.
Max believed this competition was inefficient. He believed a single dominant marketplace was necessary to restore order.
So he decided to eliminate the competition by force.
Max systematically hacked each rival forum using SQL injection, session hijacking, and other exploits. He stole their entire user databases complete with passwords, transaction histories, and private messages. He copied all forum content: tutorials, reviews, vendor listings. He imported everything into CardersMarket.
Then he dropped the database tables on each compromised site. He destroyed them overnight.
On August 16, 2006, Max sent an unapologetic mass email to thousands of carders worldwide: “Welcome to CardersMarket. You’re now a member of my site. The old sites don’t work anymore.”
Overnight, CardersMarket ballooned from 2,000 users to 6,000. It became the largest criminal marketplace in the world. Bigger than ShadowCrew at its peak.
Max had achieved his vision: a single, unified platform where criminals could conduct business efficiently under his benevolent dictatorship.
But the hostile takeover had unintended consequences. USA Today published an article about the incident. Cybersecurity expert Dan Clements said: “It’s like he’s created the Wal-Mart of the underground.”
Law enforcement agencies that had been monitoring the carding scene with mild interest suddenly focused their full attention on Iceman.
The FBI’s Master Splyntr
Max’s takeover of DarkMarket had an especially problematic wrinkle: one of DarkMarket’s administrators was an undercover FBI agent.
Keith Mularski was a 20-something FBI special agent assigned to the cybercrime division. He had spent months cultivating an online persona called “Master Splyntr.” Named after the sensei from Teenage Mutant Ninja Turtles.
Mularski had even convinced an anti-spam organization to list Master Splyntr as a notorious Polish spam king. This gave his alias a verifiable criminal backstory.
When Max hacked DarkMarket in August 2006, he compromised the site’s infrastructure. DarkMarket’s administrator was struggling to keep the site operational amid relentless DDoS attacks from CardersMarket.
Master Splyntr saw an opportunity. He approached the administrator and offered to help migrate DarkMarket to secure, attack-proof servers.
The administrator, desperate and impressed by Master Splyntr’s reputation, agreed.
In October 2006, DarkMarket moved to FBI-controlled servers in Pittsburgh.
Suddenly, the FBI was running one of the world’s largest criminal marketplaces. And Max Butler’s primary competitor.
For the next year, Mularski and Max waged a psychological war. Mularski, posing as Master Splyntr, would taunt Iceman publicly on the forums. He called him a snitch. He mocked his technical skills.
Max kept hacking DarkMarket trying to find proof it was compromised.
Eventually, Max discovered IP logs showing Master Splyntr was logging in from an FBI office in Pittsburgh. He tried to expose DarkMarket as a government honeypot. He presented evidence to other carders.
But by that point, Master Splyntr had built such deep trust within the community that when he simply denied Max’s accusations, the other carders believed him over Max.
After all, Max ran a rival forum. Of course he would spread lies about DarkMarket.
The rivalry illustrated a fundamental principle of undercover work: “When somebody first enters as a new member, they’re considered a potential cop. A month later, they’re less of a cop. Six months later, they’re a friend. A year later, they are trusted implicitly.”
By the time Max tried to blow Mularski’s cover, Master Splyntr was an insider and Max was the outsider making wild claims.
The Arrest
While Max and Master Splyntr sparred online, Chris Aragon’s operation was unraveling. In May 2007, one of Aragon’s cashiers was caught selling stolen credit cards. Facing serious charges, he immediately cooperated. He identified Aragon as his supplier.
When agents arrested Aragon, they found meticulous business records documenting every transaction, every crew member, every dollar earned.
Aragon, facing decades in prison and worried about his wife and two children, turned informant. He told the Secret Service everything about his partnership with Max. He identified Iceman as Max Butler and provided detailed information about their operations.
On September 5, 2007, Secret Service agents burst into Max’s San Francisco apartment while he was taking an afternoon nap. Max’s girlfriend was present. Max had moved them to a new apartment under a fake name. He had even bought a rope ladder in case he needed to escape quickly.
But there was no escape. Agents had been tailing him for weeks.
The Cold Boot Attack
Max’s computers were all encrypted with DriveCrypt full-disk encryption software. This was designed to make forensic analysis impossible.
But the Secret Service had brought a team of forensic experts from Carnegie Mellon University specifically to defeat this protection. They executed a “cold boot attack.” A cutting-edge technique that exploits the fact that RAM retains data for several seconds (or minutes, if cooled) after power is cut.
The forensic team seized Max’s laptops while they were still running. They extracted the encryption keys from RAM. They decrypted everything within two weeks.
The encryption key Max had chosen was almost poetic: “!!One man make a difference!”
The Evidence
What investigators found on Max’s hard drives was staggering:
- 1.8 million stolen credit card numbers from over 1,000 different banks
- 1.1 million cards stolen from restaurant POS systems
- ~700,000 cards stolen by hacking other carders
- $86.4 million in fraudulent charges across all compromised cards
- 5 terabytes of data including hacking tools, phishing emails, personal dossiers, and operational notes
The sheer scale stunned law enforcement. Banks reported the $86.4 million in fraudulent charges represented one of the largest credit card fraud cases in U.S. history at that time.
But Max personally earned far less than that figure suggests. He told investigators he made roughly $1 million total from his criminal activities.
He spent most of it on rent, meals, cab fare, and impulse purchases like a Sony robotic dog. He also gave money to homeless people on the street. He was still clinging to his Robin Hood self-image even as he operated a billion-dollar criminal marketplace.
The Sentencing
On June 29, 2009, Max Butler pleaded guilty to two counts of wire fraud in federal court in Pittsburgh. He faced up to 60 years in prison.
On February 12, 2010, Senior U.S. District Judge Maurice B. Cohill sentenced Max to 13 years in federal prison. The longest hacking-related sentence ever imposed in the United States at that time.
The sentence also included five years of supervised release and $27.5 million in restitution to be paid to the banks.
Max’s defense attorney argued Max had not personally been responsible for all $86.4 million in fraudulent charges. Many of the cards found on his hard drives had been stolen by other carders before Max hacked them. He called Max “a hacker’s hacker.” Someone who collected data compulsively but did not always use it.
Judge Cohill smiled at the phrase. “I don’t believe I’ve ever encountered the term ‘a hacker’s hacker’ before,” he said.
Assistant U.S. Attorney Luke Dembosky emphasized the scale of Max’s crimes and the damage inflicted on thousands of banks and their customers. He acknowledged Max’s talents but noted those talents had been weaponized against innocent victims.
Chris Aragon received an even harsher sentence. On October 25, 2012, he pleaded guilty to 50 felony counts in California state court. He was sentenced to 25 years in state prison.
Seven members of Aragon’s crew received sentences ranging from a few months to seven years. Aragon’s wife was prosecuted for her role in reselling stolen goods on eBay. Their two children were placed in the custody of Aragon’s mother.
The Aftermath
Max was initially recommended for minimum-security Federal Prison Camp in Sheridan, Oregon. He ended up serving time at the Federal Correctional Center in Oakdale, Louisiana. His scheduled release date was April 2019.
But Max could not stay out of trouble, even behind bars.
In October 2014, according to federal prosecutors, Max obtained a smuggled Android phone inside the prison. He allegedly used the phone for more than a year before accessing stolen debit card numbers online in December 2015.
Then prosecutors claim Max used those stolen funds to finance a drone-smuggling operation. He directed accomplices to fly contraband into the prison yard via remote-controlled drones.
In November 2018, months before his scheduled release, Max was indicted on new federal charges related to the drone-smuggling scheme. He pleaded not guilty. He claimed he had been framed by a fellow inmate angry over a dispute about rules in a role-playing game.
Public records indicate Max was released from FDC Victorville at some point after 2019. His current whereabouts and activities are unknown.
Unlike Kevin Mitnick, who became a sought-after security consultant after serving time, Max’s post-prison life remains largely invisible.
What We Learn From Iceman
Max Butler’s story offers several lessons about talent, opportunity, systemic discrimination, and moral rationalization.
1. Employment Barriers for Convicted Hackers Remain Insurmountable
Max’s inability to find legitimate work after his first conviction remains one of the most tragic elements of his story. Despite having elite skills, professional references from top security researchers, and a proven track record, nobody would hire him.
This is not unique to Max. Employment discrimination against people with hacking-related felonies is widespread and legally permissible in most circumstances.
Research shows even with initiatives like the Fair Chance Business Pledge, convicted felons face significant barriers. Those with crimes directly related to their field of expertise face near-total exclusion.
Max’s experience underscores a fundamental question: If society refuses to reintegrate talented individuals who have served their time, where does it expect them to go?
2. Moral Compartmentalization Enables Escalation
Max’s ability to view himself as a Robin Hood figure, even while stealing millions of credit card numbers, illustrates how criminals rationalize their behavior.
He convinced himself credit card fraud was “victimless.” Consumers were not directly liable for fraudulent charges. He ignored the billions of dollars in costs absorbed by banks and passed on to consumers through fees and interest rates.
This type of moral compartmentalization is common among white-collar criminals. They often view their victims as abstract entities (corporations, governments) rather than real people.
Max even maintained a reputation for honest dealing within the criminal community. He never shortchanged paying customers. An ethical code coexisted uneasily with mass-scale theft.
3. Technical Virtuosity Does Not Equal Strategic Wisdom
Max was a brilliant hacker. There is no disputing it. He pioneered techniques like large-scale POS compromises and spear phishing attacks against financial institutions. These became standard tactics in the cybercrime playbook.
But his strategic judgment was catastrophically poor.
Instead of quietly profiting from CardersMarket’s success, Max launched a hostile takeover of rival forums. This drew massive law enforcement attention.
Instead of staying hidden, he engaged in a public rivalry with an FBI agent. Even after discovering DarkMarket was compromised.
Instead of cashing out and disappearing, he kept pushing. Driven by ego, pride, and a desire to “fix” the criminal ecosystem.
This pattern repeats across hacker history: Technical skill does not correlate with good decision-making under pressure. Many of the most gifted hackers have been caught because they could not resist showing off, taunting authorities, or pursuing perfectionism over pragmatism.
4. The Carding Forums Created a Self-Perpetuating Criminal Ecosystem
The rise of CarderPlanet, ShadowCrew, and their successors fundamentally changed cybercrime by applying principles of specialization and division of labor.
Before these forums, a criminal had to master every stage of credit card fraud: from hacking to card production to monetization.
The forums allowed specialization. One person could steal data. Another could produce fake cards. A third could handle cashouts.
This marketplace efficiency lowered the barrier to entry for cybercrime and increased the overall volume of fraud.
By 2006, e-gold was processing billions of dollars in transactions. Much of it criminal in nature. Max’s CardersMarket, at its peak, had 6,000 active users worldwide. They collectively generated millions of dollars in fraudulent transactions weekly.
The forums also created a culture complete with hierarchies, reputations, mentorship, and even in-person meetups. This normalized criminal behavior and insulated members from moral doubt.
When everyone around you is stealing credit cards, it becomes business.
5. Law Enforcement Adaptation Works
Keith Mularski’s infiltration of DarkMarket represented a watershed moment in cybercrime enforcement.
By running an actual criminal marketplace for nearly two years, the FBI gathered intelligence on more than 2,500 active carders. They tracked transaction patterns. They ultimately arrested more than 60 individuals worldwide.
Mularski’s success came from patience and deep immersion. He spent hours every day, sometimes up to 15 hours, maintaining his Master Splyntr persona. He built relationships. He earned trust.
When Max tried to expose him as a fed, the community rallied to Master Splyntr’s defense. He had become an insider.
This operation set the template for future undercover work on dark web marketplaces. Including the Silk Road investigation and subsequent darknet takedowns.
The lesson: Criminals operate in the shadows. But with enough time and commitment, law enforcement infiltrates even the most paranoid communities.
The Unanswered Question
Max Butler is not Kevin Mitnick. He has not emerged from prison to become a celebrated security consultant, keynote speaker, or author. His story does not have a redemption arc. At least not yet.
What Max’s story does offer is a raw, unvarnished look at how someone with extraordinary talent and good intentions drifts into criminality when legitimate paths are closed.
It is a story about the consequences of societal rejection. The dangerous appeal of virtuosity. The seductive power of moral rationalization.
Max wanted to be a hero. He wanted to be the one who made the internet safer. Who outsmarted the bureaucrats. Who redistributed wealth from predatory banks to the underground.
In the end, he was another criminal. Smarter than most. More self-aware than many. But a criminal nonetheless.
When the FBI came knocking, his encryption key read: “!!One man make a difference!”
It read less like a manifesto and more like an epitaph for a dream that died in a San Francisco apartment on a September afternoon. Surrounded by five terabytes of stolen data and the wreckage of what might have been.
The question Max Butler’s story leaves us with is this: How many brilliant minds are we losing to prison because we refuse to create pathways back from mistakes?
How many more Max Butlers are out there right now, talented and angry, searching for how to monetize skills society will not let them use legitimately?
The answers, unfortunately, are more than we would like to admit.


